Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG  Not logged in ELOG logo
 Back  |  Find  |  Login  |  Help 
icon5.gif   chain.crt, posted by Gerhard Schneider on Thu Sep 3 21:55:52 2009 
    icon2.gif   Re: chain.crt, posted by Stefan Ritt on Fri Sep 4 08:33:16 2009 
    icon2.gif   Re: chain.crt, posted by Gerhard Schneider on Wed Oct 7 07:56:52 2009 
Message ID: 66526     Entry time: Fri Sep 4 08:33:16 2009     In reply to: 66525
Icon: Reply  Author: Stefan Ritt  Author Email: stefan.ritt@psi.ch 
Category: Question  OS: Linux  ELOG Version: 2.7.7-2246 
Subject: Re: chain.crt  
> Like many educational institutions we get "educational certificates" that are chain certificates..
> 
> With apache the full certificate chain is working as expected..
> 
> For elog I copied the appropriate files to server.crt and server.key
> 
> Netscape 3 is happy with that setup, Internet Explorer and Opera are mentioning the open certificate chain.
> 
> When I tried to copy the file known as SSLCACertificateFile in Apache to chain.crt elogd does not longer work 
and 
> 
> openssl s_client -showcerts -connect <myserver>:<elogd_port>
> 
> only shows: 
> 
> CONNECTED(00000003)
> 25523:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:

To be honest I'm not an expert on SSL. I just use following code inside ELOG to initialize the SSL connection:

SSL_CTX *init_ssl(void)
{
   char str[256];
   SSL_METHOD *meth;
   SSL_CTX *ctx;

   SSL_library_init();
   SSL_load_error_strings();

   meth = SSLv23_method();
   ctx = SSL_CTX_new(meth);

   strlcpy(str, resource_dir, sizeof(str));
   strlcat(str, "ssl/server.crt", sizeof(str));
   if (!file_exist(str)) {
      eprintf("Cerificate file \"%s\" not found, aborting\n", str);
      return NULL;
   }
   if (SSL_CTX_use_certificate_file(ctx, str, SSL_FILETYPE_PEM) < 0)
      return NULL;

   strlcpy(str, resource_dir, sizeof(str));
   strlcat(str, "ssl/server.key", sizeof(str));
   if (!file_exist(str)) {
      eprintf("Key file \"%s\" not found, aborting\n", str);
      return NULL;
   }
   if (SSL_CTX_use_PrivateKey_file(ctx, str, SSL_FILETYPE_PEM) < 0)
      return NULL;
   if (SSL_CTX_check_private_key(ctx) < 0)
      return NULL;

   strlcpy(str, resource_dir, sizeof(str));
   strlcat(str, "ssl/chain.crt", sizeof(str));
   if (file_exist(str))
      SSL_CTX_use_certificate_chain_file(ctx, str);

   return ctx;
}

Maybe I need something different for chain certificates, but I don't know. I just copied these calls from the 
example which comes with the libssl library which I'm using. Maybe somebody has an idea how this could be 
improved. Actually looking at the code I see that the 'chain.crt' file is used. If you send me your files 
privately I could try them and see if I get a specific error code from the SSL library.
ELOG V3.1.5-fe60aaf